Killsuit: The Equation Group's Swiss Army knife for persistence, evasion, and data exfil - Francisco Donoso Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Killsuit: The Equation Group's Swiss Army knife for persistence, evasion, and data exfil
Francisco Donoso
Derbycon 2018

Most researchers have focused on the Equation Group's brilliant exploits, but very few have focused on their extremely effective post-exploitation capabilities. During this talk, we will dissect the KillSuit framework, the Equation Group's Swiss Army knife for persistence, information gathering, defense evasion, and data exfiltration. KillSuit is a little-known part of the DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full-featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to stealthily establish persistence on machines, install keyloggers and packet capture tools, perform WiFi MITM, and deploy other information gathering tools. KillSuit includes many interesting ways to silently exfiltrate data and intel, including custom-written IPSEC-like protocols and misuse of "disabled" WiFi cards and nearby open networks.

Francisco currently runs a Managed Security Service Architecture team for a large multinational computer security company. His passion and hobby is researching and understanding nation-state hacking capabilities and tools. He has been at the forefront of research into the Equation Group's post-exploitation tools and capabilities since their release by the Shadow Brokers, and has spoken about this research at Derbycon, Thotcon, and other conferences.

@Francisckrs


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast